panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Validate jwt token option #278

Closed astrixj closed 4 years ago

astrixj commented 4 years ago

Hi,

we are considering using the library for an OIDC scenario; we made some tests which are working ok. My only question is whether there is an option somehow to omit the validate JWT token function? I know that this is not part of the spec, but we must have it. Is there a way?

Thanks

panva commented 4 years ago

@astrixj there isn’t and won’t be. Validating the ID Token is a required step.

panva commented 4 years ago

If you wish to omit validating the signature the configuration of some providers (not common tho) in some scenarios (code flow only) allows for the use of JWS alg: none, in which case only claim validation would be performed.

astrixj commented 4 years ago

@panva - not sure that I got it. Where should I put the none? Is there an example? Do you mean at this point in the code?

    const client = new oidc.Client({
        client_id: ClientId,
        token_endpoint_auth_method: 'client_secret_basic'
    });
panva commented 4 years ago

@astrixj this is a configuration you'd look for at your identity provider. If they provide it, you'd configure the client with id_token_signed_response_alg: 'none'. Without the accompanying setting in your identity provider tho, this leads nowhere.

If I may ask, what's the reason why you MUST have the option to skip on a key assurance when it comes to validating IdP assertions?